
Toward a Threat Model for Storage Systems


The growing number of storage security breaches as well as the need to adhere to government regulations is driving the need for greater storage protection. However, there is a lack of a comprehensive process for designing storage protection solutions. Designing protection for storage systems is best done by utilizing proactive system engineering rather than reacting with ad hoc countermeasures to the latest attack du jour. The purpose of threat modeling is to organize system threats and vulnerabilities into general classes to be addressed with known storage protection techniques. Although there has been prior work on threat modeling primarily for software applications, to our knowledge this is the first attempt at domain-specific threat modeling for storage systems. We discuss protection challenges unique to storage systems and propose two different processes for creating a threat model for storage systems: one based on classical security principles (Confidentiality, Integrity, Availability, Authentication, or CIAA) and another based on the Data Lifecycle Model. It is our hope that this initial work will start a discussion on how to better design and implement storage protection solutions against storage threats.


Page 1: Toward a Threat Model for Storage Systems

TOWARD A THREAT MODEL FOR STORAGE SYSTEMS
Hasan et al.

Nishita Islam
Metric ID: C09XXXX
Dept. of CSE, IIUC


ABSTRACT

Security is a very important part of large storage systems, and maintaining it becomes a more crucial task day by day.

There is a lack of a comprehensive process for designing storage protection solutions.

Designing protection for storage systems is best done through proactive system engineering rather than reacting to individual security threats after the fact.

The goal of threat modeling is to classify security threats into general classes that can be addressed with known storage protection techniques.

This is the first paper on domain-specific threat modeling for storage systems.


ABSTRACT (CONT.)

Several protection challenges that are unique to storage systems are discussed.

The paper proposes two different processes for creating a threat model for storage systems:

Based on classical security principles (Confidentiality, Integrity, Availability, Authentication, or CIAA).

Based on the Data Lifecycle Model.


INTRODUCTION

Nowadays, database protection is a very challenging task.

The risk increases as enterprises migrate from local storage to networked storage systems.

Risk also increases with the centralization of data in a single location and with the distribution of data across several geographical areas.

Governments also have regulations for protecting data, and several rules/laws for this are already defined, e.g. the Health Insurance Portability and Accountability Act (HIPAA).


INTRODUCTION (CONT.)

Some experts suggest that storage can be secured following the security models set forth in other domains of computing, such as application or network security.

These domains rely on the use of strong authentication mechanisms, ensuring the right authorization systems are in place, replication for availability, integrity detection mechanisms, and the use of encryption for confidentiality.

Unfortunately, none of these methods alone—especially encryption—is a comprehensive solution for protecting storage systems.


INTRODUCTION (CONT.)

Storage protection has some tradeoffs, as specified below:

The use of encryption may provide storage confidentiality but may also hamper performance and usability, and introduce denial-of-service vulnerabilities.

The use of space replication may provide storage availability (with performance and cost tradeoffs) but may also increase storage exposure to confidentiality and integrity attacks.

Time replication may provide storage protection (with performance and cost tradeoffs) but only if damage is detected and restored within a backup or versioning window.


INTRODUCTION (CONT.)

In the design stage the security engineer cannot just utilize every protection technique (since their results are often in conflict) but must rather weigh the value of each security countermeasure against the threats and vulnerabilities present in the specific environment.

So it is important to understand all the threats and vulnerabilities present in a storage system before designing or implementing any storage protection solution, because the threats determine the security countermeasures.


INTRODUCTION (CONT.)

Threat modeling is a proactive, systematic engineering approach to identifying all possible threats and vulnerabilities in a complex system, regardless of the probability of occurrence.

In the paper they conceptualize the appropriate place for threat modeling as the basis upon which to build other security engineering processes.

The corresponding figure is shown on the slide.


CHALLENGES OF PROTECTING STORAGE SYSTEMS

The threat modeling proposed in this paper is independent of any of these storage types.

They summarize the unique challenges of storage protection as below:

Ever-growing data volume

Legacy systems storing legacy data

Innovative systems require backward interoperability

More centralization on localized arrays

More decentralization with accesses over networks

Increasing compliance requirements


THREAT MODELING PROCESSES FOR STORAGE

Creating a satisfactory threat model requires systematic and repeatable processes.

It cannot be accomplished by simply brainstorming an attacker’s possible intentions.

An attacker only has to find one security flaw to compromise an entire storage system.

Thus, it is important to be systematic during the threat modeling process to ensure that all known and unknown threats and vulnerabilities can be addressed.

Understanding the attacker type is important to understand the resources and capabilities they have at their disposal.


THREAT MODELING PROCESSES FOR STORAGE (CONT.)

In a generic storage system, they identify the following incomplete list of assets that may be targeted by attackers:

Data blocks

Metadata

Log files

Buffer cache

File handles

Communication channel

Storage media

Device drivers

Data management software

Data availability

Data secrecy

Data integrity

Data consistency


THREAT MODELING PROCESSES FOR STORAGE (CONT.)

In a generic storage system, they identify the following incomplete list of access entry points that may be exploited by attackers:

Access data from outside through network connection

Access data from inside via trusted access or system compromise

Physical access to SAN fabric

Management interface from remote location to SAN fabric

Compromised server accessing data and SAN fabric

Based on attacker capability, asset goals, and access entry points, they propose two processes for creating a threat model for storage systems.


THREAT MODELING PROCESSES FOR STORAGE (CONT.)

The first process evaluates storage threats and vulnerabilities organized in terms of classical security properties: confidentiality, integrity, availability, and authentication.

They call this the CIAA process.

A second process involves identifying the value of the data being protected and mapping the data paths within the environment to ensure that they are fully protected at rest and in flight.

They call this the Data Lifecycle process.


THE CIAA THREAT MODEL PROCESS

Confidentiality attacks attempt to read information from a storage system without proper authorization.

They identified the following confidentiality attacks on storage systems:

Sniffing Storage Traffic

Snooping on Buffer Cache

Snooping on Deleted Storage Blocks

Snooping on Deallocated Memory

File System Profiling


THE CIAA THREAT MODEL PROCESS (CONT.)

Integrity attacks attempt to modify information in a storage system without proper authorization.

They briefly discussed the following integrity attacks:

Storage Jamming

Modifying Metadata

Subversion Attacks


THE CIAA THREAT MODEL PROCESS (CONT.)

Availability attacks attempt to make data or storage services unavailable for a period of time.

The following list shows different types of availability attacks on storage systems:

Exhausting Log Space

Exhausting Data Blocks

Exhausting Metadata Space

Creating Redundant Versions

Exhausting File Handles

Flash Memory Attacks

Attacks on Storage-Related OS Structures

Fragmentation Attack

Deletion of Data


THE CIAA THREAT MODEL PROCESS (CONT.)

Authentication attacks occur when an attacker masquerades as a legitimate user identity (using a purloined password or credential) or an attacking storage device masquerades as a legitimate storage device.

They discussed the following two types of authentication attacks on storage systems:

Storage User Masquerading

Storage Device Masquerading


THE CIAA THREAT MODEL PROCESS (CONT.)

They treat physical attacks as a separate group from CIAA since they are best dealt with by organizational policies for physical security (outside the scope of computer security).

For CIAA attacks, it was assumed that the storage hardware is physically secure and the only way an attacker can launch attacks is through system vulnerabilities.

The following list shows examples of physical attacks against storage systems:

Power Disruption

Network Disruption

Storage Theft

Data Recovery from Discarded Storage Media

Physical Destruction of Storage Media

Hardware Trojan


THE DATA LIFECYCLE THREAT MODEL PROCESS

As long as data lives in a computer system, it is susceptible to exposure.

An alternate and equally valid storage threat model can be based on the Data Lifecycle Model by examining the types of threats that can occur at different stages of data state, from creation to extinction.

They organize storage attacks into six groups according to the storage Data Lifecycle.

Physical attacks are not separated in the Data Lifecycle threat modeling process, since each stage does not distinguish whether the data is in electronic or physical form.

THE DATA LIFECYCLE THREAT MODEL PROCESS (CONT.)

Figure: Storage Data Lifecycle.

THE DATA LIFECYCLE THREAT MODEL PROCESS (CONT.)

Figure 3: Storage Attacks Based on Data Lifecycle.

THE DATA LIFECYCLE THREAT MODEL PROCESS (CONT.)

They briefly discussed the different stages of the Data Lifecycle Model, each examined against the four CIAA properties, as specified below:

Data Creation/Transmission: Confidentiality, Integrity, Availability, Authentication

THE DATA LIFECYCLE THREAT MODEL PROCESS (CONT.)

Data Reception: Confidentiality, Integrity, Availability, Authentication

Output Preparation: Confidentiality, Integrity, Availability, Authentication

THE DATA LIFECYCLE THREAT MODEL PROCESS (CONT.)

Data Retrieval: Confidentiality, Integrity, Availability, Authentication

Data Backup: Confidentiality, Integrity, Availability, Authentication

THE DATA LIFECYCLE THREAT MODEL PROCESS (CONT.)

Data Deletion: Confidentiality, Integrity, Availability, Authentication
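As an added example (not code from the paper or these slides), the following Python builds the stage-by-property matrix that the Data Lifecycle process calls for and applies the encryption/replication tradeoffs stated in the introduction, using only attack classes named on the CIAA slides. The lifecycle stage assigned to each attack and the properties each countermeasure protects or weakens are illustrative assumptions.

```python
# Added example, not code from the paper or the slides. The lifecycle stage
# each attack class is assumed to hit, and what each countermeasure protects
# or weakens, are illustrative assumptions drawn from the slide text.
PROPS = ("Confidentiality", "Integrity", "Availability", "Authentication")
STAGES = ("Creation/Transmission", "Reception", "Output Preparation",
          "Retrieval", "Backup", "Deletion")

# (attack class named on the CIAA slides, CIAA property, assumed lifecycle stage)
THREATS = [
    ("Sniffing Storage Traffic", "Confidentiality", "Creation/Transmission"),
    ("Snooping on Buffer Cache", "Confidentiality", "Retrieval"),
    ("Snooping on Deleted Storage Blocks", "Confidentiality", "Deletion"),
    ("Modifying Metadata", "Integrity", "Reception"),
    ("Storage Jamming", "Integrity", "Backup"),
    ("Exhausting Data Blocks", "Availability", "Reception"),
    ("Deletion of Data", "Availability", "Deletion"),
    ("Storage User Masquerading", "Authentication", "Retrieval"),
    ("Storage Device Masquerading", "Authentication", "Backup"),
]

# Tradeoffs as stated on the introduction slides: protected vs. weakened property.
COUNTERMEASURES = {
    "encryption": {"protects": {"Confidentiality"}, "weakens": {"Availability"}},
    "space replication": {"protects": {"Availability"},
                          "weakens": {"Confidentiality", "Integrity"}},
    # Time replication only helps if damage is restored within the backup window.
    "time replication": {"protects": {"Integrity", "Availability"}, "weakens": set()},
}


def threat_matrix(threats=THREATS):
    """Stage x property matrix listing the attack classes in each cell."""
    matrix = {s: {p: [] for p in PROPS} for s in STAGES}
    for name, prop, stage in threats:
        matrix[stage][prop].append(name)
    return matrix


def uncovered_cells(threats=THREATS):
    """Cells with no enumerated threat: they need further analysis and are not
    evidence of safety, since the slide list is explicitly incomplete."""
    matrix = threat_matrix(threats)
    return [(s, p) for s in STAGES for p in PROPS if not matrix[s][p]]


def residual_exposure(chosen, threats=THREATS):
    """Properties still threatened after the chosen countermeasures, plus the ones they weaken."""
    protected, weakened = set(), set()
    for name in chosen:
        protected |= COUNTERMEASURES[name]["protects"]
        weakened |= COUNTERMEASURES[name]["weakens"]
    threatened = {prop for _, prop, _ in threats}
    return {"unprotected": sorted(threatened - protected), "weakened": sorted(weakened)}
```

Running residual_exposure with all three countermeasures shows the conflict the introduction warns about: every CIAA property except authentication becomes protected by something, yet three of them are simultaneously weakened by another countermeasure.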


THREATS AND STANDARDS

Standards are important for designing safe and secure systems.

The Fibre Channel Security Protocol (FC-SP) and the Storage Network Industry Association’s Storage Management Initiative Specification (SMI-S) storage security standards facilitate storage protection by building consensus between vendors to allow interoperability and broader heterogeneous approaches.

FC-SP includes protocols to authenticate and establish secrets for Fibre Channel entities, protocols for frame-by-frame integrity and confidentiality, and protocols to define and distribute security policies within the fabric.

The SMI specification provides a common approach to managing devices in a storage network, using the Common Information Model (CIM) as a foundation and SSL for secure management.


THREATS AND STANDARDS (CONT.)

A counter argument on the use of standards for storage security is that a widely implemented standard must be solid, since any vulnerability in a standard implementation would be very attractive to attackers to use as part of a class-break exploit (the standard becomes a threat).

For this reason some protectors advocate non-standard storage implementations based on security-by-obscurity.


CONCLUSION

Storage systems present unique security challenges.

In this paper, we present two systematic threat modeling processes upon which to base protection for storage systems:

The CIAA process

The Data Lifecycle Model process

This is the first paper to present systematic processes toward threat modeling for storage systems.

The first, CIAA, process organizes threats and vulnerabilities into classes of attacks to match existing protection techniques for Confidentiality, Integrity, Availability, and Authentication.

CONCLUSION (CONT.)

The second, Data Lifecycle, process focuses on the most important asset of a storage system—data—and traces the data lifecycle within an environment to ensure it is fully protected at each stage.

Within each process, they illustrate each class of threats and vulnerabilities being examined with specific attack instances.

The purpose is not to enumerate every possible attack instance but rather to show how all attacks can be classified and thus addressed by protection techniques facilitated by either of the threat modeling processes they have introduced.

This work is an initial step toward how to better design and implement storage protection solutions against storage threats.